About This Document

These detection points are part of the OWASP AppSensor project which advocates bringing intelligent intrusion detection inside the application. These detection points can be used to identify a malicious user that is probing for vulnerabilities or weaknesses within your application.

RE5: Additional/Duplicated Data in Request

Additional unexpected parameters or HTTP headers, or duplicates, are received with the request.

consideration

Additional parameters may be an attempt to override values or to reach functionality that is not exposed through the interface. Duplicated parameters may indicate attempted HTTP parameter pollution.

Beware of firing this detector when additional cookies, not used by the application, are found (as opposed to duplicated cookies) since these may relate to third-party code (e.g. advertisements, analytics) or some other application.

Note that extra HTTP headers may be added by intermediate proxies, and unless the network configuration is fixed (an internal network perhaps), additional headers cannot be controlled and thus cannot be used to infer existence of a potential attacker.
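The three considerations above (duplicates as a pollution indicator, extra cookies ignored unless they duplicate the application's own, headers left out because proxies add them) as an added Python example; this is illustration code, not AppSensor's own, and the per-endpoint parameter contract and the cookie names are constructed assumptions:

```python
from collections import Counter
from urllib.parse import parse_qsl

# Constructed contract: which parameters each handler accepts (assumption;
# a real application would derive this from its routing or form definitions).
EXPECTED_PARAMS = {
    "/login": {"username", "password", "csrf_token"},
    "/search": {"q", "page"},
}

# Cookies the application itself sets. Other cookies (analytics, ads) are
# ignored rather than reported; only duplicates of our own cookies count.
APP_COOKIES = {"SESSIONID", "csrf"}


def inspect_request(path, query_string, body, cookies):
    """Return the RE5 findings for one request as (point, message) tuples.

    query_string and body are raw application/x-www-form-urlencoded strings;
    parse_qsl keeps every occurrence of a name, so duplicates stay visible
    instead of being silently collapsed the way dict-style access would.
    cookies is the list of (name, value) pairs in the order they arrived.
    HTTP headers are deliberately not inspected: intermediate proxies add
    them, so extra headers say nothing about the original sender.
    """
    findings = []
    expected = EXPECTED_PARAMS.get(path, set())
    params = (parse_qsl(query_string, keep_blank_values=True)
              + parse_qsl(body, keep_blank_values=True))
    occurrences = Counter(name for name, _ in params)

    for name, count in occurrences.items():
        if count > 1:
            findings.append(("RE5", f"duplicated parameter {name!r} x{count} "
                                    "(possible HTTP parameter pollution)"))
        if name not in expected:
            findings.append(("RE5", f"unexpected parameter {name!r}"))

    cookie_counts = Counter(name for name, _ in cookies)
    for name, count in cookie_counts.items():
        if name in APP_COOKIES and count > 1:
            findings.append(("RE5", f"duplicated cookie {name!r} x{count}"))
    return findings


if __name__ == "__main__":
    # Constructed sample: q repeated across query string and body, plus a
    # debug parameter the search handler never defined, plus an analytics
    # cookie that must not trigger anything.
    for finding in inspect_request("/search", "q=shoes&debug=1", "q=boots",
                                   [("SESSIONID", "abc"), ("_ga", "GA1.2")]):
        print(*finding)
```

Counting occurrences across query string and body together is intentional: a parameter sent once in each location is the classic parameter pollution shape, and a framework that merges the two would otherwise hide it.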

AuthenticationException

AE1: Use Of Multiple Usernames

id

AE1

title

Use Of Multiple Usernames

category

AuthenticationException

description

Multiple usernames are attempted when logging into the application. Login attempts should be attributed to a user by the session ID issued when they first visit the site. Correlating on source IP address is unreliable, since many users may share one address (e.g. behind a corporate NAT).

AE8: Providing Only The Username

id

AE8

title

Providing Only The Username

category

AuthenticationException

description

The user submits a POST request that contains only the username variable; the password variable has been removed entirely. This differs from leaving the password blank in the login form, where the password variable is still present but empty.

consideration

examples

The user uses a proxy tool to remove the password variable from the submitted POST request.

AE9: Providing Only The Password

id

AE9

title

Providing Only The Password

category

AuthenticationException

description

The user submits a POST request that contains only the password variable; the username variable has been removed entirely. This differs from leaving the username blank in the login form, where the username variable is still present but empty.

consideration

examples

The user uses a proxy tool to remove the username variable from the submitted POST request.
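AE1, AE8 and AE9 on one login handler, as an added Python example rather than AppSensor's own code. It keys AE1 on the session ID as the AE1 description recommends, and it distinguishes a field that is absent (AE8/AE9) from one that is present but empty (not a finding). The field names "username" and "password", the raw form body format and the threshold of three distinct usernames are assumptions:

```python
from collections import defaultdict
from urllib.parse import parse_qsl

AE1_THRESHOLD = 3  # assumption: distinct usernames per session before AE1 fires


class LoginMonitor:
    """Tracks login POSTs per session ID, not per source IP (NAT makes IPs ambiguous)."""

    def __init__(self, threshold=AE1_THRESHOLD):
        self.threshold = threshold
        self.usernames_by_session = defaultdict(set)

    def inspect(self, session_id, body):
        """Return the detection point IDs raised by one login POST.

        body is the raw x-www-form-urlencoded request body. AE8 and AE9 ask
        whether a variable is *present* at all; keep_blank_values=True makes
        "password=" parse as present-but-empty, which is the ordinary form
        submission and raises nothing.
        """
        fields = dict(parse_qsl(body, keep_blank_values=True))
        events = []
        has_user = "username" in fields
        has_pass = "password" in fields

        if has_user and not has_pass:
            events.append("AE8")   # password variable stripped by a proxy tool
        if has_pass and not has_user:
            events.append("AE9")   # username variable stripped by a proxy tool

        if has_user and fields["username"]:
            seen = self.usernames_by_session[session_id]
            seen.add(fields["username"])
            if len(seen) >= self.threshold:
                events.append("AE1")
        return events


if __name__ == "__main__":
    # Constructed sample traffic from one session cycling through accounts.
    monitor = LoginMonitor()
    for body in ("username=alice&password=", "username=alice",
                 "password=hunter2", "username=bob&password=x",
                 "username=carol&password=x"):
        print(body, "->", monitor.inspect("sess-1", body))
```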

SessionException

SE1: Modifying Existing Cookies

A request is received containing a cookie whose value has been modified. This can be detected when the cookie has been changed to an illegal value, for example one that no longer decodes or fails the application's integrity check.

consideration

examples

The user uses a proxy tool to change an encrypted cookie to an alternative value that does not decrypt or decode correctly within the application. Or, the user modifies an unencrypted cookie and sets an illegal value for a particular variable.

User A's session is compromised and User B begins using the account. Requests originating from User B will probably carry a different source IP address than User A's. The source IP addresses could be the same if both users were behind the same NAT.
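The first SE1 example (a cookie altered in a proxy so that it no longer decodes) as an added Python example, not AppSensor's code. It uses an HMAC tag rather than encryption, which is enough to make any edit detectable; the cookie layout, the field names and the in-memory key are assumptions:

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret. A real deployment loads it from a key
# store, never from source.
COOKIE_KEY = secrets.token_bytes(32)


class SessionException(Exception):
    def __init__(self, point, detail):
        super().__init__(f"{point}: {detail}")
        self.point = point


def issue_cookie(user_id, role, key=COOKIE_KEY):
    """Build a tamper-evident session cookie: payload, '.', HMAC-SHA256 tag."""
    payload = f"uid={user_id};role={role}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_cookie(value, key=COOKIE_KEY):
    """Return the cookie's fields, or raise SessionException('SE1').

    Any of: no tag, a tag that does not match the payload, or a payload that
    no longer parses, means the client altered what the server issued.
    """
    payload, sep, tag = value.rpartition(".")
    if not sep:
        raise SessionException("SE1", "cookie has no integrity tag")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        raise SessionException("SE1", "cookie integrity check failed")
    try:
        fields = dict(item.split("=", 1) for item in payload.split(";"))
    except ValueError:
        raise SessionException("SE1", "cookie payload malformed") from None
    return fields


def detect(fn, *args):
    """Run fn and return the detection point it raised, or None."""
    try:
        fn(*args)
    except SessionException as exc:
        return exc.point
    return None


if __name__ == "__main__":
    cookie = issue_cookie(42, "user")
    print("genuine :", verify_cookie(cookie))
    # Constructed tampering: the role is edited in a proxy, the tag is not.
    print("tampered:", detect(verify_cookie, cookie.replace("role=user", "role=admin")))
```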

SE6: Change Of User Agent Mid Session

id

SE6

title

Change Of User Agent Mid Session

category

SessionException

description

The User-Agent header value changes during a session, indicating that a different browser is now being used. Although this value is entirely under the sender's control, a change may indicate that the session has been compromised and is being used by another individual. This is unlikely to be caused by the user simply copying and pasting the URL from one browser to another on the same system, because doing so would not carry over the session identifiers.

consideration

Optionally include other HTTP headers in this check. For example, the Accept-Encoding and Accept-Language headers do not normally change and could be concatenated with the User-Agent and hashed to create an identifier.

The ideas described in Panopticlick and Javascript Browser Fingerprinting can also be used to fingerprint a particular client system but require the use of client-side code. Application owners should check the legality of collecting data, and whether it is considered "personal data" which may have additional constraints in some jurisdictions.
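The header-hash identifier from the consideration above, as an added Python example (not AppSensor's code). It binds a session to the fingerprint seen on the first request and reports SE6 when a later request's fingerprint differs; the header set and the in-memory session store are assumptions, and a separator byte is placed between the headers so that two different header combinations cannot concatenate to the same string:

```python
import hashlib

# Headers that normally stay constant for the life of a browser session.
FINGERPRINT_HEADERS = ("User-Agent", "Accept-Encoding", "Accept-Language")


def client_fingerprint(headers):
    """Hash the stable request headers into one identifier.

    Header names are matched case-insensitively (HTTP header names are), and
    a missing header contributes an empty string so the hash stays defined.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    material = "\x1f".join(lowered.get(h.lower(), "") for h in FINGERPRINT_HEADERS)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


class SessionStore:
    """Assumed in-memory store; a real one would live beside the session data."""

    def __init__(self):
        self.fingerprints = {}

    def check(self, session_id, headers):
        """Bind the session to its first-seen fingerprint; return 'SE6' on a
        later mismatch, else None."""
        current = client_fingerprint(headers)
        bound = self.fingerprints.setdefault(session_id, current)
        return "SE6" if bound != current else None


if __name__ == "__main__":
    # Constructed traffic: a browser session, then the same cookie replayed
    # from a command-line client.
    store = SessionStore()
    browser = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0",
               "Accept-Encoding": "gzip, deflate, br",
               "Accept-Language": "en-GB,en;q=0.5"}
    print(store.check("sess-1", browser))                       # None
    print(store.check("sess-1", dict(browser, **{"User-Agent": "curl/8.0.1"})))  # SE6
```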

AccessControlException

ACE1: Modifying URL Arguments Within a GET For Direct Object Access Attempts

id

ACE1

title

Modifying URL Arguments Within a GET For Direct Object Access Attempts

category

AccessControlException

description

The application is designed to use an identifier for a particular object, such as using categoryID=4 or user=guest within the URL. A user modifies this value in an attempt to access unauthorized information. This exception should be thrown anytime the identifier received from the user is not authorized due to the identifier being nonexistent or the identifier not authorized for that user.

The value of a non-free-text HTML form element (e.g. drop-down box, radio button) is modified to an illegal value: one that either does not exist or is not authorized for the user.

consideration

examples

The user uses a proxy tool to intercept a POST request and changes the posted value to one that was not available through the normal display. For example, the user encounters a drop-down box containing the numbers 1 through 10, selects 5, and then intercepts the POST to change the submitted value to 100.

ACE4: Evading Presentation Access Control Through Custom Posts

id

ACE4

title

Evading Presentation Access Control Through Custom Posts

category

AccessControlException

description

A POST request is received that is not authorized for the current user and that the user could not have issued without crafting a custom POST request. This situation most commonly arises when presentation-layer access controls have removed the user's ability to initiate the action through the application's interface. An attacker who is aware of the functionality may try to bypass this presentation-layer control by crafting their own request and sending it in an attempt to execute the functionality directly.

consideration

examples

The application allows an administrator to delete a user. This method is normally invoked by entering the username and posting to https://oursite/deleteuser. Presentation-layer access controls ensure the delete-user form is not displayed to non-administrator users. A malicious user who has access to a non-administrator account and is aware of the delete-user functionality sends a custom-crafted POST to https://oursite/deleteuser in an attempt to execute the delete-user method.
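ACE1 (both the URL identifier and the tampered drop-down value described under it) and ACE4 as server-side checks, as an added Python example and not AppSensor's own code. The point of ACE4 is that the authorization decision is made on the server regardless of what the presentation layer showed; the user, role, profile-ownership and form-option data are all constructed assumptions:

```python
class AccessControlException(Exception):
    def __init__(self, point, detail):
        super().__init__(f"{point}: {detail}")
        self.point = point


# Constructed data: which profile IDs each user owns, which values the
# "quantity" drop-down actually offered, which roles may invoke each POST
# action, and who holds which role.
OWNED_PROFILES = {"alice": {1, 2, 3}, "bob": {4}}
FORM_OPTIONS = {"quantity": {str(n) for n in range(1, 11)}}
ACTION_ROLES = {"/deleteuser": {"admin"}}
USER_ROLES = {"alice": "user", "bob": "user", "root": "admin"}


def load_profile(user, profile_id):
    """ACE1: an identifier taken from the URL must exist and belong to the caller.
    A nonexistent ID and someone else's ID are reported the same way."""
    if profile_id not in OWNED_PROFILES.get(user, set()):
        raise AccessControlException("ACE1", f"{user} requested profile {profile_id}")
    return {"id": profile_id, "owner": user}


def submit_form(user, field, value):
    """ACE1 for a non-free-text field: only values the form offered are legal."""
    if value not in FORM_OPTIONS.get(field, set()):
        raise AccessControlException("ACE1", f"{field}={value!r} was never presented to {user}")
    return int(value)


def handle_post(user, path):
    """ACE4: authorize the action here, not only by hiding the form."""
    if USER_ROLES.get(user) not in ACTION_ROLES.get(path, set()):
        raise AccessControlException("ACE4", f"{user} posted to {path} without the required role")
    return "ok"


def detect(fn, *args):
    """Run a handler and return the detection point it raised, or None."""
    try:
        fn(*args)
    except AccessControlException as exc:
        return exc.point
    return None


if __name__ == "__main__":
    print(detect(load_profile, "alice", 4))            # ACE1: bob's profile
    print(detect(submit_form, "alice", "quantity", "100"))  # ACE1: not in the drop-down
    print(detect(handle_post, "bob", "/deleteuser"))    # ACE4: form was hidden from bob
    print(detect(handle_post, "root", "/deleteuser"))   # None
```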

InputException

IE1: Cross Site Scripting Attempt

id

IE1

title

Cross Site Scripting Attempt

category

InputException

description

The HTTP request contains common XSS attacks which are often used by attackers probing for XSS vulnerabilities. Detection should be configured to test all GET and POST values as well as all header names and values for the following values.

consideration

examples

The user uses a proxy tool to add an XSS attack to a header value and to the "displayname" POST variable. The header value could be displayed to an administrator viewing log files, and the "displayname" POST variable may be stored by the application and displayed to other users. Note that the following XSS attacks would be used by an attacker to probe for a vulnerability; an actual XSS attack would be customized by the attacker.

IE2: Violations Of Implemented White Lists

id

IE2

title

Violations Of Implemented White Lists

category

InputException

description

The application receives user-supplied data that violates an established white list validation.

consideration

examples

The user submits data that is not valid for the particular field. This is not necessarily attack data, but repeated violations could be an attempt by an attacker to determine how the application works or to discover a flaw.

IE3: Violations Of Implemented Black Lists

id

IE3

title

Violations Of Implemented Black Lists

category

InputException

description

The application receives user-supplied data that violates an established black list validation.

consideration

examples

This is not necessarily attack data, but repeated violations could be an attempt by an attacker to determine how the application works, to discover a flaw, or to exploit one. The black list approach carries a greater false-positive potential than IE2 above and cannot identify all potentially malicious data.

EE2: Unexpected Encoding Used

id

EE2

title

Unexpected Encoding Used

category

EncodingException

description

An HTTP request is received that contains values encoded in an unexpected format.

consideration

examples

The user encodes an attack such as alert(document.cookie) in UTF-7 and sends this data to the application. This could bypass validation filters and be rendered to a user in certain situations.
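The UTF-7 case from the example above, as an added Python check rather than AppSensor's code. It reports EE2 when a value contains UTF-7 shift sequences that decode to something different from what a UTF-8 reader sees, and, as a second unexpected-encoding case that the page does not list, when a value is still URL-encoded after the framework has already decoded it once (double encoding). The function assumes it is given the value after that single framework decode:

```python
import re
from urllib.parse import unquote

# A UTF-7 shift sequence: '+', base64 characters, closed by '-'.
UTF7_SHIFT = re.compile(r"\+[A-Za-z0-9+/]+-")


def inspect_encoding(value):
    """Return (point, kind, decoded) events for one already URL-decoded value.

    - UTF-7: "+ADw-" is '<' and "+AD4-" is '>', so a filter that only knows
      UTF-8 sees no tag while a consumer that honours UTF-7 renders one.
    - Double URL-encoding: if a second unquote() still changes the value,
      the sender pre-encoded the payload so the first decode looked harmless.
    """
    events = []
    if UTF7_SHIFT.search(value):
        try:
            decoded = value.encode("ascii").decode("utf-7")
        except (UnicodeEncodeError, UnicodeDecodeError):
            decoded = value  # not valid UTF-7 after all; nothing to report
        if decoded != value:
            events.append(("EE2", "utf-7", decoded))
    decoded_again = unquote(value)
    if decoded_again != value:
        events.append(("EE2", "double-url-encoding", decoded_again))
    return events


if __name__ == "__main__":
    # Constructed probe: the page's alert(document.cookie) wrapped in UTF-7
    # encoded <script> tags.
    for event in inspect_encoding("+ADw-script+AD4-alert(document.cookie)+ADw-/script+AD4-"):
        print(*event)
    print(inspect_encoding("%3Cscript%3E"))          # double-encoded on the wire
    print(inspect_encoding("plain text, 100% safe"))  # []
```

Requiring the closing '-' in the regex keeps ordinary values such as "a+b" from being decoded at all; the exception handler covers the remaining malformed cases.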

CommandInjectionException

CIE1: Blacklist Inspection For Common SQL Injection Values

id

CIE1

title

Blacklist Inspection For Common SQL Injection Values

category

CommandInjectionException

description

A request is received that contains common SQL injection attack attempts. The point of this detection is not to catch every variation of a SQL injection attack, but to detect the common probes that an attacker or tool uses to determine whether a SQL injection vulnerability is present. Unless the site contains some sort of message board for discussing SQL injection, there is little reason that these SQL injection strings should ever appear in a user request.

consideration

examples

The user sends a request and modifies a URL parameter from category=5 to category=5' OR '1'='1 in an attempt to perform a SQL injection attack. The user could perform similar attacks by modifying POST variables or even request headers to contain SQL injection strings, such as:
' OR '1'='1
' OR 'a'='a
' OR 1=1--
xp_cmdshell
UNION
JOIN
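IE1, IE2, IE3 and CIE1 on one request, as an added Python example that is not AppSensor's code. The CIE1 patterns are the six probe strings listed above; the XSS probes are an assumption, since the page's own IE1 list is not reproduced here; the per-field whitelist is constructed. The last sample input is a harmless comment containing the word "join", included to show the IE3 false-positive point:

```python
import re

# IE2 whitelist (constructed): the only shapes these fields may take.
FIELD_PATTERNS = {
    "username": re.compile(r"[a-z0-9_]{3,32}"),
    "category": re.compile(r"[0-9]{1,6}"),
}

# IE1 probes are assumed here; CIE1 probes are the page's list above.
# Both are matched case-insensitively wherever they occur in the text.
XSS_PROBES = [r"<script", r"javascript:", r"\bon(error|load|click)\s*=", r"alert\s*\("]
SQLI_PROBES = [
    r"'\s*or\s*'1'\s*=\s*'1", r"'\s*or\s*'a'\s*=\s*'a", r"'\s*or\s*1\s*=\s*1\s*--",
    r"\bxp_cmdshell\b", r"\bunion\b", r"\bjoin\b",
]
BLACKLISTS = (("IE1", XSS_PROBES), ("CIE1", SQLI_PROBES))


def inspect_input(params, headers):
    """Return (point, location) events for one request.

    params and headers are dicts of already URL-decoded names and values.
    """
    events = []
    # IE2: a field with a whitelist must match it in full; other fields
    # (free text such as a comment) have no whitelist and are not checked.
    for name, value in params.items():
        pattern = FIELD_PATTERNS.get(name)
        if pattern and not pattern.fullmatch(value):
            events.append(("IE2", name))

    # IE1 / CIE1 (blacklists, i.e. IE3-style checks): scan every parameter
    # and header, names as well as values, since any of them may be echoed.
    locations = []
    for name, value in params.items():
        locations += [(f"param-name:{name}", name), (f"param:{name}", value)]
    for name, value in headers.items():
        locations += [(f"header-name:{name}", name), (f"header:{name}", value)]
    for where, text in locations:
        for point, probes in BLACKLISTS:
            if any(re.search(p, text, re.IGNORECASE) for p in probes):
                events.append((point, where))
    return events


if __name__ == "__main__":
    # Constructed requests: a SQL probe in a URL parameter, an XSS probe in a
    # header and in displayname, and an innocent comment that the CIE1
    # blacklist still flags.
    print(inspect_input({"category": "5' OR '1'='1"}, {}))
    print(inspect_input({"displayname": "<script>alert(1)</script>"},
                        {"Referer": "javascript:alert(1)"}))
    print(inspect_input({"comment": "please join us"}, {}))
```

The SQL probe in "category" trips both IE2 and CIE1: the whitelist catches it because the field is numeric, and it would catch a probe that the blacklist has never seen, which is why the page prefers IE2 where a whitelist can be defined.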

CIE2: Detect Abnormal Quantity Of Returned Records

A database query is executed that returns more records than expected. For example, if the query should return only one record and 100 records are returned, something has likely gone wrong.

consideration

examples

The application is designed to allow a user to maintain 5 profiles. A user makes a request to view all of their profiles. The database query, which is expected always to return 5 or fewer results, returns 10,000 records. Something in the application, or in the user's actions, has caused unauthorized data to be returned.
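The profile example above, as an added Python example (not AppSensor's code) against an in-memory SQLite table. The constructed dataset has 200 users with 5 profiles each; a parameterised lookup stays within the expected maximum, while a deliberately injectable lookup with the CIE1 probe string returns the whole table and is caught by the CIE2 row-count guard. The table layout, the limit of 5 and the guard's placement are assumptions:

```python
import sqlite3

MAX_PROFILES_PER_USER = 5  # the application's own design limit


class CommandInjectionException(Exception):
    def __init__(self, point, detail):
        super().__init__(f"{point}: {detail}")
        self.point = point


def make_db():
    """Constructed sample data: 200 users with 5 profiles each (1000 rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profiles (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO profiles (owner, name) VALUES (?, ?)",
        [(f"user{u}", f"profile{p}") for u in range(200) for p in range(5)],
    )
    return conn


def guard(rows, expected_max):
    """CIE2: refuse to return more rows than the query could legitimately produce."""
    if len(rows) > expected_max:
        raise CommandInjectionException(
            "CIE2", f"query returned {len(rows)} rows, expected at most {expected_max}")
    return rows


def profiles_for(conn, owner):
    """Parameterised query: user input can never change the query's shape."""
    rows = conn.execute(
        "SELECT id, name FROM profiles WHERE owner = ?", (owner,)).fetchall()
    return guard(rows, MAX_PROFILES_PER_USER)


def profiles_for_vulnerable(conn, owner):
    """Deliberately injectable (string concatenation), kept here only to show
    what CIE2 catches when the primary defence is missing."""
    rows = conn.execute(
        f"SELECT id, name FROM profiles WHERE owner = '{owner}'").fetchall()
    return guard(rows, MAX_PROFILES_PER_USER)


def detect(fn, *args):
    """Run fn and return the detection point it raised, or None."""
    try:
        fn(*args)
    except CommandInjectionException as exc:
        return exc.point
    return None


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"
    print(len(profiles_for(conn, "user7")))              # 5
    print(profiles_for(conn, probe))                      # [] : probe is just a string
    print(detect(profiles_for_vulnerable, conn, probe))   # CIE2: 1000 rows came back
```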

UT2: Speed Of Application Use

id

UT2

title

Speed Of Application Use

category

UserTrendException

description

The speed of requests from a user indicates that an automated tool is being used to access the site. The use of a tool may indicate reconnaissance for an attack or attempts to identify vulnerabilities in the site.

consideration

examples

The user utilizes an automated tool to request hundreds of pages per minute.
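A sliding-window request counter for UT2, keyed on session ID for the same reason AE1 gives, as an added Python example that is not AppSensor's code. The limit of 100 requests per 60-second window is a constructed assumption to be tuned per site; the `now` parameter exists so the window can be exercised with synthetic timestamps:

```python
import time
from collections import defaultdict, deque


class RateMonitor:
    """Sliding-window request counter keyed on session ID.

    max_requests within any window_seconds span is the most a person
    clicking through the site is expected to produce; the default of
    100 per minute is an assumption, not a figure from the page.
    """

    def __init__(self, max_requests=100, window_seconds=60.0):
        self.max_requests = max_requests
        self.window = window_seconds
        self.history = defaultdict(deque)

    def record(self, session_id, now=None):
        """Log one request; return 'UT2' once the window limit is exceeded, else None."""
        now = time.monotonic() if now is None else now
        timestamps = self.history[session_id]
        timestamps.append(now)
        cutoff = now - self.window
        while timestamps and timestamps[0] <= cutoff:   # drop requests older than the window
            timestamps.popleft()
        return "UT2" if len(timestamps) > self.max_requests else None


if __name__ == "__main__":
    # Constructed traffic: one request per second for 100 s (a person), then
    # 101 requests in the same second (a tool).
    monitor = RateMonitor()
    print({monitor.record("person", now=float(t)) for t in range(100)})   # {None}
    print([monitor.record("tool", now=200.0) for _ in range(101)][-1])     # UT2
```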